DietPi-Software | bitwarden_rs server #3724

Closed
CactiChameleon9 opened this issue Aug 19, 2020 · 69 comments · Fixed by #3894 or #3934

@CactiChameleon9
Contributor

CactiChameleon9 commented Aug 19, 2020

Creating a software request

Formal software information

Are there similar/alternative software titles available with DietPi-Software?

  • no alternatives that I can see

What makes your requested software better than the above solutions, if available?

  • Passwords need to be somewhere you trust, so a self hosted convenient solution is important
  • Has a web UI, but maybe you could provide an option to go without to reduce resource usage.

How can DietPi make the installation easier or compatible, than following the install instructions or do APT installation, if available?

  • They could provide the binaries or
  • Install build dependencies and install in the correct place
  • Add to boot/autostart

Can you provide the installation steps that you would suggest DietPi-Software to do?

  1. Install dependencies listed, including rust nightly
  2. download and build
  3. install in /opt or somewhere permanent
  4. add to systemd to allow autostart

Are you willing to help maintaining the software installation, e.g. in case of needed setup changes due to updates etc.? This is not needed, but could speed up our decision to implement it, as man power is always a topic 😉.

  • I could try, but I am not great at best practices while installing things.

Vote for this software on FeatHub: https://feathub.com/MichaIng/DietPi/+126

@MichaIng
Owner

Many thanks for your request. Looks quite doable. What do you think, SQLite or MariaDB database backend? For small single user or family instances MariaDB is probably overkill (database size very small anyway), on the other hand MariaDB is already used by many other software titles and when the MariaDB server is running anyway, it would be a shame to not use it 😄.

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Aug 19, 2020

Gosh, that's a hard choice. I barely know the pros and cons of either, so you'll be more able to choose. If most software on dietpi uses MariaDB anyway, then sure why not - unless there is a major performance hit of either. Since it's just a compiler flag you may even be able to provide an option, however it depends on if you want a one click install script or not.

@MichaIng
Owner

MichaIng commented Aug 19, 2020

Yes an option would be best, however a larger plan to add install options (as well post-install) for many software titles, probably we'll go for a non-choice for now. Do you have an instance running to check the database size? Performance should be better with MariaDB (due to good caching implementation and table-based file writes instead of all data in a single "large" file), but it is itself an own running server that takes disk space and certain stock RAM space for the server process. For a 1 MiB database alone it's definitely an overkill 😄 and currently I cannot imagine how a single person's or even family's passwords can take much more space, even with hashes and such.

@CactiChameleon9
Contributor Author

No.. I do not have an instance running I'm afraid... but yes standalone it would be overkill. Maybe just go with sqlite to be on the safe side. Is it really that bad to run mariadb for just it though? I have not actually needed to use mariadb on my server yet, it's all been sqlite, so that seems to be the one used by most from my findings - I may be wrong though.

@Joulinar
Collaborator

Joulinar commented Aug 19, 2020

Just an unqualified comment from my side regarding size. I'm using SafeInCloud PW Manager where "database" file is stored on my Synology. I have stored around 150 passwords including own icons. File size is around 2 MB. So definitely MariaDB would be an overkill. Probably trying to detect what DB is running. If nothing, go for SQLite. Otherwise go for already installed? Yeah probably too much work 😄

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Aug 19, 2020

Thanks @Joulinar, that's really helpful. I wonder how hard it is to detect a mariadb. You could probably check the status of the systemd service and then check that that doesn't return service not found, pipe to a diff command maybe? Or do a service status and then grep for maria?

@MichaIng
Owner

I think we'll go for SQLite for now. In theory detection or option is easy but finally one has to think through a bunch of details to not cause unexpected behaviour of the script. I think we need to find a generic approach for a database preference/selection first, similar to webserver preference, but with the difference that multiple database systems can run nicely beside each other and that not all software can use all database systems.

@CactiChameleon9
Contributor Author

Any advancement with this? Is there any way I could contribute at all?

@MichaIng
Owner

As always: https://github.com/MichaIng/DietPi/wiki/How-to-add-a-new-software-title 😉
My priorities are:

  1. Fixing bugs and important updates/maintenance of the software titles we already support (currently in process).
  2. Following the votes, especially for software titles which are already on the top for a long time: https://feathub.com/MichaIng/DietPi (I'll implement Bazarr definitely with v6.33)

Of course there are other considerations playing a role as well, e.g. that we have no single standalone password manager in portfolio as well, or Bazarr because it fits and complements the Sonarr/Radarr/Lidarr set perfectly fine and setup can mostly be adopted.

So especially for new software requests there needs to be someone else starting with the implementation to have it realistically implemented short- or mid-term, I'm afraid.

Btw: https://feathub.com/MichaIng/DietPi/+126
Actually, what are the benefits of the Rust version vs the "original"? https://github.com/bitwarden/server
Okay VS, .NET, I can imagine a Windows server in the first place and heavy-weight 😄.
I added the FeatHub link to the first post, even that I am not sure if the Rust version was in mind, but it should not play a large role as long as the clients work with it.

@anubis-genix

Besides taking less resources than the official version this one seems to have all premium features unlocked

@MichaIng MichaIng changed the title [Software] bitwarden_rc server DietPi-Software | bitwarden_rc server Sep 27, 2020
@CactiChameleon9 CactiChameleon9 changed the title DietPi-Software | bitwarden_rc server DietPi-Software | bitwarden_rs server Oct 8, 2020
@CactiChameleon9
Contributor Author

CactiChameleon9 commented Oct 9, 2020

I am actually working on this now, but I am struggling with an error during installation.

Can I have some help please? I can show you my code if need be, when I am done I will make a pull request for your review

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Oct 9, 2020

My code for installing is here, I copied a bit from spotify to check if it was the issue

Banner_Installing

# Dependencies: https://github.com/dani-garcia/bitwarden_rs/wiki/Building-binary#dependencies
DEPS_LIST='pkg-config libssl-dev'
# Rust from https://rustup.rs/
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Download & Install
INSTALL_URL_ADDRESS='https://github.com/dani-garcia/bitwarden_rs/releases' # Full path fails wget spider test...
G_CHECK_URL "$INSTALL_URL_ADDRESS"

LATEST_URL=$(curl -s https://api.github.com/repos/dani-garcia/bitwarden_rs/releases/latest | grep 'zipball_url' | cut -d\" -f4) # Get download url using api
no_check_url=1 Download_Install "$LATEST_URL"
[[ -d '/opt/bitwarden_rs' ]] && G_EXEC rm -R /opt/bitwarden_rs
G_EXEC mv dani-garcia-bitwarden_rs-* /opt/bitwarden_rs

# Build
G_EXEC cd /opt/bitwarden_rs
G_EXEC_OUTPUT=1 G_EXEC cargo build --features sqlite --release
G_EXEC cd /tmp/$G_PROGRAM_NAME

# Uninstall rust after compiling
G_EXEC rustup self uninstall

@MichaIng
Owner

MichaIng commented Oct 9, 2020

When you use Download_Install function for a non deb/zip/7z/tar file, it will be simply downloaded but requires a target path/name then, like:

Download_Install 'https://example.org/example.jar' /path/to/executable.jar

This is optional for DEB packages since those are simply installed and obsolete for known archives as those are extracted to current directory if no target is present.

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Oct 9, 2020

It is actually a zip file I am downloading, it's just not said in the file name

@MichaIng
Owner

MichaIng commented Oct 9, 2020

Ah I see, but the URL does not represent that: https://api.github.com/repos/dani-garcia/bitwarden_rs/tarball/1.16.3
Let me see, there is another case where we scrape the version via tag_name and then download this particular version archive.

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Oct 9, 2020

Just a thought, shouldn't you check the file type based on the file command instead of on name extension? (also I pressed the wrong button hence the close and reopen)

@MichaIng
Owner

MichaIng commented Oct 9, 2020

Ah like here:

INSTALL_URL_ADDRESS='https://api.github.com/repos/dani-garcia/bitwarden_rs/releases/latest'
G_CHECK_URL "$INSTALL_URL_ADDRESS"
local version=$(curl -sf "$INSTALL_URL_ADDRESS" | grep -m1 '^[[:blank:]]*"tag_name":' | cut -d \" -f 4)
Download_Install "https://github.com/dani-garcia/bitwarden_rs/archive/$version.tar.gz"

We check the file type based on the URL. We need to know it prior to downloading it since it depends on where it will be downloaded to.

@CactiChameleon9
Contributor Author

OK, thanks a lot. Yeah getting just the version would solve that

@MichaIng
Owner

MichaIng commented Oct 9, 2020

Ah forget about fallback_url, as this is impossible to be not available as every release has a tag_name and related raw repository archive. We use this when scraping the final download URL directly via browser_download_url entry, where available, and in cases there are multiple releases for multiple platforms we need to scrape for identifying patterns that define it's for Linux and/or the device's architecture and these naming conventions can change.

@CactiChameleon9
Contributor Author

A small issue, the rust installer uses path variable changing as it installs locally in the home folder (I remove at the end don't worry). It seems that it is not using that change, hence command not found error for compiling

@CactiChameleon9
Contributor Author

OK, fixed. I have to run 'source $HOME/.cargo/env' instead of "logging out" and back in as I cannot do so in script

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Oct 9, 2020

Is it OK to compile as part of the installation process and should I provide a warning saying this may take a while? (It does still take less time than cuberite on a pi zero however)

@MichaIng
Owner

MichaIng commented Oct 9, 2020

You can export the variables to have the Rust installed into the correct directory. I just ran into the same issue when trying to install the new Rust-based Firefox Sync Server. Solved it by running rustup as the final run user: #3774 (comment)
That is probably the cleanest method, as it does not depend on multiple variables and all files/dir have correct permissions directly:

  • Make the install dir the run user's home dir.
  • Start rustup as run user, so the whole Rust environment is installed into the install dir.

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Nov 6, 2020

OK... so basically I lost my code in the update 👍 I am redoing now and about to test

@Joulinar
Collaborator

Well, I have an old iPhone SE flying round. Will reactivate it as I don't use any Apple devices normally.

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Dec 23, 2020

It seems that people say that you just email the certificate to yourself and open it, and iOS 13+ has a raised standard in certificates, meaning that RSA keys must be at least 2048 bits (source). I don't have an iOS device either BTW.

@MichaIng
Owner

We create a 4096 bit key, so that shouldn't be an issue then 😎.

@Joulinar
Collaborator

currently installing bitwarden on my RPi4 64bit. But it's taking time :/

@Joulinar
Collaborator

OK, I'm giving up on this iPhone stuff. I tried to upload the certificate but it creates a profile. I don't think this is correct. As well Bitwarden is still complaining about not trusted certificates

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Dec 24, 2020

https://old.reddit.com/r/Bitwarden/comments/ep9qyz/self_signed_certs_iosmacos_issue_solved/ This person here seemed to have managed, could you try those steps @Joulinar? (it's OK if not)

@Joulinar
Collaborator

Hi,

For W10 I did a small guide on our forum. It's pretty straightforward https://dietpi.com/phpbb/viewtopic.php?p=29810#p29810

On iOS, I have the issue at point 4 Goto Settings -> General -> About -> Certificate Trust Settings because it's empty. There is nothing to enable, even if I managed to install profile on point 3. Not sure what I'm doing wrong. Maybe it's the certificate as it has a lifetime of 20 years. As well I'm not sure what files are needed on iOS. On Windows a .crt file is enough.

BTW: should we create the .crt file by default? It's needed on W10 at least. Or make a statement on our online docs
openssl x509 -outform der -in your-cert.pem -out your-cert.crt

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Dec 24, 2020

> For W10 I did a small guide on our forum. It's pretty straightforward https://dietpi.com/phpbb/viewtopic.php?p=29810#p29810

Great! Hopefully this can be added to the docs?

> On iOS, I have the issue at point 4 Goto Settings -> General -> About -> Certificate Trust Settings because it's empty. There is nothing to enable, even if I managed to install profile on point 3. Not sure what I'm doing wrong. Maybe it's the certificate as it has a lifetime of 20 years. As well I'm not sure what files are needed on iOS. On Windows a .crt file is enough.

Then I am clueless.... I really don't know much about iOS... Maybe it is the 20 years being too much, I am not sure.

Some person here said:

> No, you have to create a profile with the certificate in it. The easiest way to do this is to use Apple Configurator (free in the App Store) to create a profile with a Certificate payload. You can then use Configurator to install the profile (and it will automatically enable trust for SSL), or you can export the profile from Configurator and send it to your device via email or text or AirDrop, in which case you'll have to follow the steps in the article to enable SSL trust.

> BTW: should we create the .crt file by default? It's needed on W10 at least. Or make a statement on our online docs
> openssl x509 -outform der -in your-cert.pem -out your-cert.crt

I say we add it to our online docs for the time being and then make the change to the bitwarden configuration code later - then again it's not up to me and I don't know much about certificates either.

@MichaIng
Owner

MichaIng commented Dec 24, 2020

Many thanks, however for Windows 10 we have a guide already, which is starting with downloading the certificate from within the browser when accessing the web vault. But from opening the certificate file on it matches yours: https://dietpi.com/docs/software/cloud/#bitwarden_rs

Downloading the file via browser should be the easiest method usually. The conversion in Windows 10 is done when storing it to file.

> Maybe it is the 20 years being too much, I am not sure.

Please not. If we make it too short, users might start complaining when it expires suddenly, so I thought that a more or less unlimited lifetime is easiest here. But at least it's worth to give it a try, if no one succeeded to import that 20a certificate on iOS yet.

It is a pain that OSes make it so difficult to manually trust a certificate, starting with the support for all widely used formats. There is no alternative if you do not have a public domain or need it to access local network hosts via local hostnames/IPs. The alternative for such cases would be plain unauthenticated + unencrypted HTTP, which of course is much worse than trusting even an attacker's fake certificate.

@Joulinar
Collaborator

Joulinar commented Dec 24, 2020

even with a smaller lifetime, I don't see the certificate inside Certificate Trust Settings.

I found a nice guide with pictures https://www.theictguy.co.uk/adding-trusted-root-certificates-to-ios14/
So my issue seems to be the profile. I'm not able to get it into status verified. It stays not verified all the time 🤔

OK found it, just need to figure out how to add 😄 https://stackoverflow.com/questions/63600820/ios-14-self-signed-certificate-not-trustable

@Joulinar
Collaborator

Joulinar commented Dec 24, 2020

Success on iOS14.3 😄

Adding following into /etc/ssl/openssl.cnf fixed it

[SAN]
basicConstraints                = CA:TRUE,pathlen:0

I checked it with 700 days atm. Will do more test later. Next to this I need to figure out how to add it to the command line to avoid changing /etc/ssl/openssl.cnf 🤔

@MichaIng
Owner

MichaIng commented Dec 24, 2020

Great find. Did you find out what is the background of it?

It seems to be a flag to set that this certificate can be used as CA, which is what is done when importing it into trusted CA store: https://manpages.debian.org/buster/openssl/x509.1ssl.en.html#CERTIFICATE_EXTENSIONS
But I can't find something about the pathlen option.
EDIT: Ah, here it is: https://manpages.debian.org/buster/openssl/x509v3_config.5ssl.en.html#Basic_Constraints.

> So if you have a CA with a pathlen of zero it can only be used to sign end user certificates and not further CAs.

  • Makes sense 👍.

We can add it via command line option, which is currently:

-config <(cat /etc/ssl/openssl.cnf <(echo -ne "[SAN]\nsubjectAltName=DNS:$(</etc/hostname),IP:$(mawk 'NR==4' /run/dietpi/.network)"))

SAN is required for most modern browsers but not defined by default in openssl.cnf and it requires the hostname and IPs added that shall be used to access. So command line option uses the default openssl.cnf and adds SAN options to the end with best guess we can do: local IP and hostname. This alone can btw cause issues already with some clients browsers when accessing via public hostname/IP, in which case a Let's Encrypt cert (or similar) makes sense at latest. However, the setting can hence be added easily:

-config <(cat /etc/ssl/openssl.cnf <(echo -ne "[SAN]\nsubjectAltName=DNS:$(</etc/hostname),IP:$(mawk 'NR==4' /run/dietpi/.network)\nbasicConstraints=CA:TRUE,pathlen:0"))

But I'm still a bit puzzled with the meaning of all of this and why this certificate infrastructure is like it is. More reasonable IMO than dealing with CA/root certificates would be to take it as end user certificate only and trust it like that, despite of being signed by a trusted certificate authority. I tried that in Windows 10 by storing it into some other certificate storages, but every client/browser seems to only accept it when being stored into the trusted CA storage.
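
Added example (not part of the thread and not DietPi's code): the certificate settings discussed above, SAN plus `basicConstraints=CA:TRUE,pathlen:0` and the DER conversion for Windows, written to a private config file instead of being appended to /etc/ssl/openssl.cnf, followed by checks on the resulting certificate. Function names, output file names and the host name/IP passed in are assumptions.

```sh
#!/bin/sh
# Added example, not DietPi's code. Function names, file names and the
# host name/IP passed to these functions are assumptions.

# make_cert OUTDIR HOSTNAME IP [DAYS] [BITS]
# Writes OUTDIR/privkey.pem and OUTDIR/cert.pem (self-signed, SAN + CA flag).
# Defaults: 7300 days (about the 20 years mentioned in the thread), RSA 4096.
make_cert() {
    mc_dir=$1 mc_host=$2 mc_ip=$3 mc_days=${4:-7300} mc_bits=${5:-4096}
    mc_cnf=$(mktemp) || return 1
    # Private config file, so /etc/ssl/openssl.cnf stays untouched.
    cat > "$mc_cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = SAN

[dn]
CN = $mc_host

[SAN]
subjectAltName = DNS:$mc_host,IP:$mc_ip
basicConstraints = CA:TRUE,pathlen:0
EOF
    mkdir -p "$mc_dir" && (
        umask 077   # the private key must not be readable by other users
        openssl req -x509 -newkey "rsa:$mc_bits" -nodes -sha256 \
            -days "$mc_days" -config "$mc_cnf" \
            -keyout "$mc_dir/privkey.pem" -out "$mc_dir/cert.pem" 2>/dev/null
    )
    mc_rc=$?
    rm -f "$mc_cnf"
    return "$mc_rc"
}

# cert_key_bits CERT: prints the public key size in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_cert CERT HOSTNAME IP
# Prints one line per problem; returns 0 only when every check passes.
check_cert() {
    cc_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "not a readable PEM certificate"; return 1; }
    cc_fail=0
    cc_bits=$(cert_key_bits "$1")
    [ "${cc_bits:-0}" -ge 2048 ] ||
        { echo "RSA key shorter than 2048 bits"; cc_fail=1; }
    printf '%s\n' "$cc_text" | grep -q 'CA:TRUE, pathlen:0' ||
        { echo "basicConstraints CA:TRUE,pathlen:0 missing"; cc_fail=1; }
    # Line after the SAN header, spaces removed: DNS:<host>,IPAddress:<ip>
    cc_san=$(printf '%s\n' "$cc_text" |
        sed -n '/Subject Alternative Name/{n;s/ //g;p;}')
    case ",$cc_san," in
        *",DNS:$2,"*) ;;
        *) echo "SAN lacks DNS:$2"; cc_fail=1 ;;
    esac
    case ",$cc_san," in
        *",IPAddress:$3,"*) ;;
        *) echo "SAN lacks IP:$3"; cc_fail=1 ;;
    esac
    return "$cc_fail"
}

# export_der CERT_PEM OUT_CRT: DER copy for the Windows import.
export_der() {
    openssl x509 -outform der -in "$1" -out "$2"
}

# With arguments OUTDIR HOSTNAME IP the script creates and checks a
# certificate; without arguments it only defines the functions.
if [ "$#" -ge 3 ]; then
    make_cert "$@" && check_cert "$1/cert.pem" "$2" "$3" && echo "certificate OK"
fi
```

`check_cert` can also be pointed at an existing certificate to see which of the three properties it lacks before trying to import it on a client.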

@Joulinar
Collaborator

Joulinar commented Dec 24, 2020

After Santa Claus is gone again and finished eating, I did another test. My iPhone SE also accepts the certificate with a term of 20 years. So we just have to add basicConstraints=CA:TRUE,pathlen:0

Edit:
tested the new config string as well without issues 👍

MichaIng added a commit that referenced this issue Dec 25, 2020
+ DietPi-Software | Bitwarden_RS: Add CA flag to self-signed certificate, required for iOS to allow import into trusted CA store: #3724 (comment)
@MichaIng
Owner

Fixed: 8a5d093 (whoops, this is for v6.35 of course 😄)
Changelog: 4973b52

@anubis-genix

Can we change the /admin page to /bwadmin so it doesn't collide with other services like pihole?

@Joulinar
Collaborator

usually Bitwarden is running on own port :8001. There shouldn't be any conflict.

@anubis-genix

You're right, I didn't consider it

@anubis-genix

I might have found an issue or maybe it's just a messed up config on my side.
I've enabled the admin page in bitwarden_rs.env and did a software reinstall 183 afterwards.
Once the reinstall was done, I wasn't able to login to the admin page anymore, even though the token was correct.
Had to change the token to log back in again. Now even though I've disabled the admin page by uncommenting the admin_token line, it's still accessible. Is this supposed to happen once the admin panel is enabled?
Could someone please verify?

cocoflan added a commit to cocoflan/DietPi-Docs that referenced this issue Feb 9, 2021
For the moment the smartphone apps for ANDROID and IOS can not be used on the Bitwarden server on Dietpi.
Cert. Problem will be fixed on next release 6.35. 
MichaIng/DietPi#3724 (comment)
MichaIng/DietPi#4098
@jvteleco

jvteleco commented Mar 2, 2021

@MichaIng A question regarding the Bitwarden installation.
You are building and compiling the binaries, but could you also offer the option to install the docker image?
So on the dietpi-software install menu, after selecting 183:
Option a) use docker image
Option b) compile and install?

It just seems a very long compile time (over 60 min on a Rpi3 due to the 2GB of RAM requirement). Since you already offer the portainer as a docker image install, you could also offer this one (there are already available images for ARM Rpi, Odroid, etc. Not sure if compatible with "all" the platforms Dietpi support, https://github.com/dani-garcia/bitwarden_rs/wiki/Which-container-image-to-use) The docker image would definitely save a lot of time and space since no compiling dependencies.

You have done the hard bit of the certificate generation, so just need to link the directories of the certificates to the "official" bitwarden_rs docker image: https://hub.docker.com/r/bitwardenrs/server and I guess follow the HTTPS certificate instructions, that you probably have done with the existing install (https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-HTTPS).
Maybe something like this, using the example of the HTTPS:

I think you first need to move the cert.pem and privkey.pem inside a new "ssl" folder inside the /mnt/dietpi_userdata/bitwarden_rs/ and then:

docker run -d --name bitwarden \
  -e ROCKET_TLS='{certs="/ssl/certs.pem",key="/ssl/privkey.pem"}' \
  -v /mnt/dietpi_userdata/bitwarden_rs/ssl/:/ssl/ \
  -v /mnt/dietpi_userdata/bitwarden_rs/:/data/ \
  -p 8001:80 \
  bitwardenrs/server:raspberry

Food for thought, I will try it during this week if I can. Thanks.

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Mar 3, 2021

I personally dislike docker because I see it as a waste of resources on a low powered device like a raspberry pi and therefore I believe at least the choice should be provided to the user if we were to add a docker installation method. This isn't my decision though, just wanted to give my opinion. The docker container(s) do support armv6 (RPI 1/0) and armv7 (2/3/4) and aarch64 (3/4) correct? Edit: it's arm7 only, which would mean things like pi zeros wouldn't work, dietpi aarch64 installations may work, idk much about multiarch support with docker containers

(Sorry for the incorrect arm names, I have never spent the time to properly learn them)

@Joulinar
Collaborator

Joulinar commented Mar 3, 2021

> The docker container(s) do support armv6 (RPI 1/0) and armv7 (2/3/4) and aarch64 (3/4) correct?

According to DockerHub: yes https://hub.docker.com/r/bitwardenrs/server/tags?page=1&ordering=last_updated

@CactiChameleon9
Contributor Author

Ah... The wiki is wrong. Yep all are supported it seems

@MichaIng
Owner

MichaIng commented Mar 3, 2021

I tend to agree with @CactiChameleon9 that Docker containers are generally an overhead in terms of disk space+writes and RAM usage at least, simply because it's a whole (though light) OS-ish environment and in case even internal webserver and database and such included. Basically a give-up on the attempt that we aim, to integrate multiple software titles on a native OS level working side by side gracefully. And there are issues by times kernel- and network-wise with Docker containers and the network bridges in general.

We ship the Portainer container, but it is to manage other containers, not a dedicated end user container, and it cannot be installed differently.

In case of Bitwarden_RS I see the issue with the long compiling time and indeed we leave the dependencies in place while the binary alone would be enough. Compiling it all in a tmpfs and copying only the binary to disk raises the already existing issue that the compiling requires very much RAM. It's a balance already between speed and RAM usage (when too high => swapping => slow disk writes again), with the parallel build jobs:

			# Assure 2 GiB overall memory (-100 MiB to avoid tiny swap space) is available and limit concurrent cargo build jobs to 2 if less than 3 GiB memory is available.
			local jobs=
			if (( $RAM_TOTAL < 1948 ))
			then
				G_DIETPI-NOTIFY 2 'Bitwaden_RS build requires at least 2 GiB memory. We will now increase your swap size to satisfy this requirement.'
				/boot/dietpi/func/dietpi-set_swapfile 1
				(( $G_HW_CPU_CORES > 2 )) && jobs=2

			elif (( $RAM_TOTAL < 3072 && $G_HW_CPU_CORES > 2 ))
			then
				jobs=2
			fi

There are no standalone pre-compiled binaries available, but those could be extracted from the Docker image, then packaged together with our service and setup steps into a DEB package: https://github.com/dani-garcia/bitwarden_rs/wiki/Pre-built-binaries

New releases are not done too often, I can write a script and a GitHub action to build and upload those packages on demand, once a new release has been done.

An alternative is this project, but I like to go with an own fully understood way: https://github.com/greizgh/bitwarden_rs-debian

@CactiChameleon9 what do you think about that approach?

Another question, when already talking about Bitwarden_RS: We currently store the web vault to /mnt/dietpi_userdata/bitwarden_rs/web_vault, but actually the directory itself does not contain any configs or something that would need to be preserved on reinstall, does it? So it would better fit into /opt/bitwarden_rs/web_vault as static files, also read-only to the service itself.

@CactiChameleon9
Contributor Author

CactiChameleon9 commented Mar 3, 2021

So you are proposing to extract a binary (to be then packaged in deb form) which is downloaded and installed instead of compiling. That would be fine, as long as the existing builds can support all the archs (which they seem to), but isn't dietpi designed to be independent of a server (or am I wrong there) - I suppose maybe because it's GitHub and not an actual server (won't be shutting down etc.) so it's fine. I do like that idea, but would it be better to just extract the binary and leave it at that instead of deb because we can then use most of the existing script at the moment and it stays more independent of Debian versions? (idk really, just throwing ideas around)

I also agree that going with something fully understandable would be better, but if this gets too hard to maintain (e.g. the docker container changes too much) and that git project is still active then that would be viable

Also the change to /opt makes much more sense considering install the web vault alongside and not as a user installed optional thing

@MichaIng
Owner

MichaIng commented Mar 3, 2021

> I do like that idea, but would it be better to just extract the binary and leave it at that instead of deb because we can then use most of the existing script at the moment and it stays more independent of Debian versions?

Extracting the binary requires either Docker or a special Docker container extraction tool, and implies the large container download etc, hence the idea to do that ourselves. Whether we then host the resulting binaries only on dietpi.com or a DEB package, doesn't make much difference and we can move the configuration and uninstall code just into the package's postinst/postrm scripts. The Debian version dependency of DEB packages comes from the package dependencies and used shared libraries. The Rust binary however is completely standalone with all dependencies built into the binary, if I'm not mistaken, it does not even require SQLite being installed (that I just verified). So we don't need to add any dependencies to the package and don't need to worry about any wrong or missing shared libraries of the particular Debian version.

DEB packages have the benefit that their contained files can be easier identified, config files better handled with the conffiles standard, easier clean removal can be performed and such. Only issue is that it gives less control over the individual config steps in pre/post-inst/rm scripts, so not a single step can be error-handled and repeated, but only the whole install. Another benefit is that it can be included into an APT repository, which I aim to create at some time in the future. So whenever hosting new binaries on dietpi.com, I do it already as DEB package for a while 😉.
